Service Thread Suspension

  • Description: A more advanced evasion technique that targets the system services responsible for logging or monitoring, such as Prefetch (SysMain), the Program Compatibility Assistant (PcaSvc), Event Logging (EventLog), or the Diagnostic Policy Service (DPS). Instead of stopping the service outright (which sc query, Get-Service or any service manager immediately reports as Stopped), the bypasser suspends the specific threads inside the service's host process (usually svchost.exe) that carry out the service's work.

  • Mechanism: Requires a tool that can manipulate the threads of another process, such as Process Hacker / System Informer, or a custom tool built on Windows API functions such as OpenThread, SuspendThread and ResumeThread. The bypasser identifies the thread(s) that carry the service's core functionality, typically those whose start address lies in the service's implementation DLL (sysmain.dll for SysMain, pcasvc.dll for PcaSvc, wevtsvc.dll for EventLog, dps.dll for DPS; the ServiceDll value under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters names it), and places them in a suspended state. Note that sechost.dll is the service-control support library loaded into every svchost.exe, not any single service's own code, so it is not the DLL to look for.

  • Why Cheaters Use It: The host process (svchost.exe) stays listed as "Running" in Task Manager and in service queries, because the Service Control Manager only changes a service's reported state when the service itself calls SetServiceStatus, and a service whose threads are frozen never does. Basic checks are therefore fooled, while the suspended thread(s) prevent the service from performing its actual function (writing Prefetch files, logging events, recording DPS data). It is a stealthier way to disable logging than stopping the service entirely.

  • Detection: Requires direct inspection of the threads within the relevant service processes using a tool like System Informer (running as Administrator):

    1. Locate the svchost.exe (or, for some services, a dedicated process) that hosts the target service (SysMain, PcaSvc, EventLog, DPS). tasklist /svc, or the ProcessId reported by Get-CimInstance Win32_Service, maps the service name to the PID. On Windows 10 1703 and later with more than 3.5 GB of RAM, most services run in their own svchost.exe instance, so the process is usually dedicated to that one service.

    2. Right-click the process -> Properties -> Threads tab.

    3. Examine the list of threads. Look for threads whose State column reads "Suspended" (shown as Wait:Suspended).

    4. Pay close attention to the "Start address" column. If suspended threads have start addresses inside the DLL that implements that service (sysmain.dll, pcasvc.dll, wevtsvc.dll, dps.dll), this is highly suspicious and strongly indicative of deliberate tampering to disable logging. Two caveats: threads that start in ntdll.dll (RtlUserThreadStart, TppWorkerThread), sechost.dll or kernelbase.dll are normal in every svchost.exe and are not suspicious on their own, and much of a service's work runs on thread-pool worker threads started from ntdll.dll!TppWorkerThread, so a bypasser who freezes those produces a suspended thread that resolves to ntdll.dll rather than the service DLL. A suspended thread anywhere in these processes that is not explained by a debugger attached to it deserves investigation; the absence of one in the service DLL is not proof the service is untouched.
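The four steps above, automated as an added PowerShell check (this is example code written for this page, not a tool from the original text or from System Informer). It resolves each target service to its host PID, walks the process's threads, reports which are suspended, and maps each thread's Win32 start address to the module containing it. Assumptions: the four service names from the text, an elevated 64-bit PowerShell session (needed to read another process's module list), and the helper names Get-Win32StartAddress, Resolve-Module and Get-ServiceThreadReport, which are chosen here.

```powershell
# Added example, not part of the original page. Run from an elevated 64-bit PowerShell.
# Assumptions: the service names below exist on the host, and an elevated caller gets
# PROCESS_QUERY_INFORMATION | PROCESS_VM_READ on the host process (needed for .Modules).

Add-Type -Namespace Win32 -Name ThreadApi -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);

// THREADINFOCLASS 9 = ThreadQuerySetWin32StartAddress: the routine handed to CreateThread.
// ProcessThread.StartAddress from Get-Process typically reports ntdll's start stub instead.
[DllImport("ntdll.dll")]
public static extern int NtQueryInformationThread(IntPtr ThreadHandle, int ThreadInformationClass, out IntPtr ThreadInformation, int ThreadInformationLength, out int ReturnLength);
'@

$THREAD_QUERY_INFORMATION = 0x0040
$ThreadQuerySetWin32StartAddress = 9

function Get-Win32StartAddress {
    param([int]$ThreadId)
    $h = [Win32.ThreadApi]::OpenThread($THREAD_QUERY_INFORMATION, $false, [uint32]$ThreadId)
    if ($h -eq [IntPtr]::Zero) { return [IntPtr]::Zero }
    try {
        $addr = [IntPtr]::Zero; $len = 0
        $status = [Win32.ThreadApi]::NtQueryInformationThread($h, $ThreadQuerySetWin32StartAddress, [ref]$addr, [IntPtr]::Size, [ref]$len)
        if ($status -ne 0) { return [IntPtr]::Zero }   # non-zero NTSTATUS means the query failed
        return $addr
    } finally { [void][Win32.ThreadApi]::CloseHandle($h) }
}

function Resolve-Module {
    # Map an address to "module.dll+0xOFFSET" using the target process's loaded module list.
    param([System.Diagnostics.Process]$Process, [IntPtr]$Address)
    $a = $Address.ToInt64()
    foreach ($m in $Process.Modules) {
        $base = $m.BaseAddress.ToInt64()
        if ($a -ge $base -and $a -lt ($base + $m.ModuleMemorySize)) {
            return ('{0}+0x{1:X}' -f $m.ModuleName, ($a - $base))
        }
    }
    return 'unknown'
}

function Get-ServiceThreadReport {
    param([string[]]$ServiceName = @('SysMain', 'PcaSvc', 'EventLog', 'DPS'))
    foreach ($svc in $ServiceName) {
        $w = Get-CimInstance Win32_Service -Filter "Name='$svc'"
        if (-not $w) { Write-Warning "${svc}: no such service"; continue }
        if ($w.ProcessId -eq 0) { Write-Warning "$svc is not running (State: $($w.State))"; continue }
        $p = Get-Process -Id $w.ProcessId
        # ServiceDll names the module that implements the service inside svchost.exe.
        $dllPath = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters" -ErrorAction SilentlyContinue).ServiceDll
        $dllName = if ($dllPath) { [IO.Path]::GetFileName($dllPath) } else { $null }
        foreach ($t in $p.Threads) {
            # A thread frozen by SuspendThread sits in state Wait with wait reason Suspended.
            $suspended = ($t.ThreadState -eq 'Wait' -and $t.WaitReason -eq 'Suspended')
            $start = Get-Win32StartAddress -ThreadId $t.Id
            $where = Resolve-Module -Process $p -Address $start
            [pscustomobject]@{
                Service      = $svc
                Pid          = $p.Id
                Tid          = $t.Id
                Suspended    = $suspended
                StartAddress = ('0x{0:X}' -f $start.ToInt64())
                Module       = $where
                InServiceDll = [bool]($dllName -and $where -like "$dllName+*")
            }
        }
    }
}

$report = Get-ServiceThreadReport
$report | Format-Table Service, Pid, Tid, Suspended, StartAddress, Module, InServiceDll -AutoSize
$report | Where-Object { $_.Suspended -and $_.InServiceDll } | ForEach-Object {
    Write-Warning ("Suspended thread inside service DLL: {0} PID {1} TID {2} at {3}" -f $_.Service, $_.Pid, $_.Tid, $_.Module)
}
```

The thread list is a snapshot taken when Get-Process runs, so run the check more than once before drawing conclusions, and treat a suspended thread that resolves to ntdll.dll (a frozen thread-pool worker) as worth explaining even though the InServiceDll column stays False for it; only threads whose start address falls inside the service DLL and that are suspended trigger the warning.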
